
Page 1: anti IP spoofing technique - Apricot
Title: anti-ip-spoofing.ppt, Author: Gaurab Upadhaya, Created Date: 3/1/2007 5:57:58 AM

Copyright (C) 2006 Internet Initiative Japan Inc.

anti IP spoofing technique

MATSUZAKI ‘maz’ Yoshinobu <[email protected]>

Page 2: ip spoofing

creation of IP packets with source addresses other than those assigned to that host

Page 3: Malicious uses with IP spoofing

• impersonation
  – session hijack or reset
• hiding
  – flooding attack
• reflection
  – ip reflected attack

Page 4: impersonation

[diagram: the sender emits an ip spoofed packet with src: partner, dst: victim; the victim reacts: “Oh, my partner sent me a packet. I’ll process this.”]

Page 5: hiding

[diagram: the sender floods the victim with ip spoofed packets, dst: victim, src: random; the victim reacts: “Oops, many packets are coming. But who is the real source?”]

Page 6: reflection

[diagram: the sender sends an ip spoofed packet (src: victim, dst: reflector) to the reflector; the reflector’s reply packet (src: reflector, dst: victim) lands on the victim, who reacts: “Oops, a lot of replies without any request…”]

Page 7: ip reflected attacks

• smurf attacks
  – icmp echo (ping)
  – ip spoofing (reflection)
  – directed-broadcast amplification
• dns amplification attacks
  – dns query
  – ip spoofing (reflection)
  – DNS amplification

Page 8: amplification

[diagram: two ways a reflector amplifies what the sender puts in: 1. multiple replies to one request; 2. a bigger reply than the request]

Page 9: directed-broadcast amplification

[diagram: one icmp echo request from the sender to a directed-broadcast address; many icmp echo replies come back]

Page 10: DNS amplification

[diagram: the sender sends a small query to the DNS server and gets a far bigger answer back]

  query:  ANY ? xxx.example.com
  answer: xxx.example.com IN TXT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX… (a very long TXT record)
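Page 6 ends with the victim receiving replies it never asked for, and page 10 shows the size gap between an ANY query and its TXT answer. The following Python is an added example, not code from the slides or from IIJ, that turns both observations into a check a network operator can run over flow records: a DNS reply is “solicited” only if the reversed 5-tuple was seen as a query, hosts that collect several unsolicited replies are reported as likely reflection victims, and the reply/query byte ratio per server gives the amplification factor. The flow records are constructed for the example; the record layout, the UDP/53 heuristics and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records for the example (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # ordinary lookup: 60-byte query, 120-byte answer
    ("192.0.2.10", 51234, "198.51.100.53", 53, "udp", 60),
    ("198.51.100.53", 53, "192.0.2.10", 51234, "udp", 120),
    # ANY query for a large TXT record: 64 bytes out, 3200 bytes back
    ("192.0.2.11", 51235, "198.51.100.53", 53, "udp", 64),
    ("198.51.100.53", 53, "192.0.2.11", 51235, "udp", 3200),
    # 192.0.2.77 never sent a query, yet answers arrive from several resolvers
    ("198.51.100.1", 53, "192.0.2.77", 40001, "udp", 3200),
    ("198.51.100.2", 53, "192.0.2.77", 40001, "udp", 3200),
    ("198.51.100.3", 53, "192.0.2.77", 40001, "udp", 3200),
    ("198.51.100.4", 53, "192.0.2.77", 40001, "udp", 3200),
]


def index_queries(flows):
    """Map each outgoing DNS query 5-tuple to the bytes it carried."""
    return {(s, sp, d, dp): n for s, sp, d, dp, proto, n in flows
            if proto == "udp" and dp == 53}


def classify_replies(flows):
    """Split DNS replies into solicited (a matching query was seen) and unsolicited."""
    queries = index_queries(flows)
    solicited, unsolicited = [], []
    for s, sp, d, dp, proto, n in flows:
        if proto != "udp" or sp != 53:
            continue
        key = (d, dp, s, sp)            # the query would have carried the reversed tuple
        if key in queries:
            solicited.append((s, d, queries[key], n))   # (server, client, qbytes, rbytes)
        else:
            unsolicited.append((s, d, n))               # (reflector, victim, bytes)
    return solicited, unsolicited


def reflection_victims(flows, min_replies=3):
    """Hosts that received at least min_replies DNS answers they never asked for."""
    per_host = defaultdict(lambda: {"replies": 0, "bytes": 0, "reflectors": set()})
    for reflector, victim, n in classify_replies(flows)[1]:
        h = per_host[victim]
        h["replies"] += 1
        h["bytes"] += n
        h["reflectors"].add(reflector)
    return {v: (h["replies"], h["bytes"], len(h["reflectors"]))
            for v, h in per_host.items() if h["replies"] >= min_replies}


def amplification_by_server(flows):
    """Largest reply/query size ratio observed per DNS server (the ‘bigger reply’ signal)."""
    worst = {}
    for server, client, qbytes, rbytes in classify_replies(flows)[0]:
        worst[server] = max(worst.get(server, 0.0), rbytes / qbytes)
    return worst


if __name__ == "__main__":
    print("victims:", reflection_victims(FLOWS))
    print("amplification:", amplification_by_server(FLOWS))
```

On the constructed records the victim report is 192.0.2.77 with four unsolicited replies (12800 bytes) from four reflectors, and the server 198.51.100.53 shows a 50x amplification for the ANY query; on real flow data the same two numbers tell a resolver operator whether they are an open amplifier and a victim-side operator that spoofed traffic is being reflected at them.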

Page 11: ip reflected attacks

[diagram: the attacker sends ip spoofed packets to an open amplifier; the amplifier’s replies go to the victim]

Page 12: smurf attack

[diagram: the attacker sends ip spoofed pings; the resulting ICMP echo replies converge on the victim]

Page 13: dns amplification attack

[diagram: the attacker sends ip spoofed DNS queries to many DNS servers; their DNS replies converge on the victim]

Page 14: relations – dns amp attack

[diagram: the attacker’s Command&Control drives a botnet that sends IP spoofed DNS queries; the DNS infrastructure involved is stub-resolvers, full-resolvers, root-servers, tld-servers and example-servers; the replies go to the victim]

Page 15: solutions for ip reflected attacks

[diagram: the picture from page 11 (attacker → ip spoofed packets → open amplifier → replies → victim) with the two countermeasures marked: prevent ip spoofing on the attacker’s side, disable open amplifiers on the reflector’s side]

Page 16: two solutions

• disable ‘open amplifier’
  – disable ‘directed-broadcast’
  – disable ‘open recursive DNS server’
  – a content DNS server should accept queries from everyone, but the resolver (cache) DNS service should be restricted to its customers only.
• prevent ip spoofing!!
  – source address validation
  – BCP38 & BCP84

Page 17: Source Address Validation

• Check the source ip address of ip packets
  – filter invalid source ip addresses
  – filter as close to the packets’ origin as possible
  – filter as precisely as possible
• If no networks allow ip spoofing, we can eliminate these kinds of attacks

Page 18: our assumption

• ISP/network administrators assign ip addresses to their users.
  – dynamic or static
  – DHCP, connectivity service
• Users should use these assigned ip addresses as their source ip address.

Page 19: close to the origin

[diagram: two customer networks, 10.0.0.0/23 and 10.0.3.0/24, each behind its own router (RT.a, RT.b). Packets with srcip: 0.0.0.0 are rejected (×, “You are spoofing!”) at every router that checks them. A packet with srcip: 10.0.0.1 that did not originate in 10.0.0.0/23 is rejected (×, “You are spoofing!”) only by the router next to its origin; further upstream the address lies inside the aggregate and the check can only say “Hmm, this looks ok... but..”]

Page 20: how to configure the checking

• ACL
  – packet filter
  – permit valid sources, then drop any
• uRPF check
  – check incoming packets using the ‘routing table’
  – look up the return path for the source ip address
  – loose mode can’t stop ip reflected attacks
• use strict mode or feasible mode

Page 21: cisco ACL example

[diagram: ISP Edge Router, interface GigabitEthernet0/0 facing the customer over the point-to-point link 10.0.0.0/30; customer network 192.168.0.0/24]

ip access-list extended fromCUSTOMER
 remark permit the customer allocation and the p2p link, drop everything else
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.0.0.3 any
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group fromCUSTOMER in
!

Page 22: juniper ACL example

[diagram: ISP Edge Router, interface ge-0/0/0 facing the customer over the point-to-point link 10.0.0.0/30; customer network 192.168.0.0/24]

firewall {
    family inet {
        filter fromCUSTOMER {
            term CUSTOMER {
                from {
                    source-address {
                        192.168.0.0/16;
                        10.0.0.0/30;
                    }
                }
                then accept;
            }
            term Default {
                then discard;
            }
        }
    }
}

[edit interfaces ge-0/0/0 unit 0 family inet]
filter {
    input fromCUSTOMER;
}

Page 23: cisco uRPF example

[diagram: ISP Edge Router running uRPF on GigabitEthernet0/0, point-to-point link 10.0.0.0/30 to the customer network 192.168.0.0/24]

interface GigabitEthernet0/0
 ! strict mode: the source must be reachable via the receiving interface
 ip verify unicast source reachable-via rx

Page 24: juniper uRPF example

[diagram: ISP Edge Router running uRPF on ge-0/0/0, point-to-point link 10.0.0.0/30 to the customer network 192.168.0.0/24]

[edit interfaces ge-0/0/0 unit 0 family inet]
rpf-check;

Page 25: multistage verification

[diagram: uRPF applied at three points in sequence: Customer Router, Customer Edge Router, ISP Edge Router]

• customers know their network.
• good for a precise filter
• We can filter spoofed traffic at an early stage.

Page 26: uRPF - failures

• common failures
  – unused space
  – private space
  – wrong address
• asymmetric routing failures
  – multi-connected network
  – transit LAN
• special failures
  – private/non-routed backbone network

Page 27: unused space

[diagram: the ISP Edge Router (uRPF) routes 192.168.0.0/16 toward the customer, whose router uses only customer network 192.168.0.0/24 and has just a default route back to the ISP; a packet src: 10.0.0.1 dst: 192.168.1.1 bounces between the two and is marked ×]

• if there is no filter, these packets keep looping until ttl expired....
• fix the routing!
• add null routes on the customer router
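The loop on this page is easy to reproduce. The Python below is an added example, not code from the slides or from IIJ: two tiny routers with longest-prefix-match tables, the ISP edge pointing the whole 192.168.0.0/16 at the customer and the customer pointing everything it does not use back at the ISP. A packet to 192.168.1.1 (inside the allocation, outside the /24 in use) ping-pongs until its TTL is exhausted; adding the null route for 192.168.0.0/16 on the customer router, the fix the slide recommends, discards it on the first hop. Router names, the TTL of 64 and the table contents are assumptions for the example.

```python
import ipaddress


class Router:
    """Minimal forwarding table with longest-prefix match.
    next_hop is another router's name, "connected" for a directly attached
    destination, or None for a null route (discard)."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(p, nh) for p, nh in self.routes if addr in p]
        if not hits:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(hits, key=lambda e: e[0].prefixlen)[1]


def forward(routers, start, dst, ttl=64):
    """Walk a packet hop by hop from router `start`; return (outcome, path)."""
    here, path = start, [start]
    while True:
        nh = routers[here].lookup(dst)
        if nh == "connected":
            return "delivered", path
        if nh is None:
            return "discarded by null route", path
        ttl -= 1                      # every forwarding hop burns one TTL unit
        if ttl == 0:
            return "ttl expired", path
        here = nh
        path.append(here)


def topology(customer_null_route):
    """Constructed two-router setup after the slide: the ISP edge routes the whole
    192.168.0.0/16 allocation to the customer, who only uses 192.168.0.0/24 and
    sends everything else back through a default route."""
    customer_routes = [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "isp")]
    if customer_null_route:
        customer_routes.append(("192.168.0.0/16", None))   # the fix from the slide
    return {
        "isp": Router("isp", [("192.168.0.0/16", "cust"), ("0.0.0.0/0", "upstream")]),
        "cust": Router("cust", customer_routes),
        "upstream": Router("upstream", [("0.0.0.0/0", "connected")]),  # rest of the Internet
    }


def unused_space_demo(dst="192.168.1.1", ttl=64):
    """Outcome for a packet to the unused part of the allocation, without and with the null route."""
    without = forward(topology(False), "isp", dst, ttl)
    with_fix = forward(topology(True), "isp", dst, ttl)
    return without, with_fix


if __name__ == "__main__":
    (o1, p1), (o2, p2) = unused_space_demo()
    print("no null route :", o1, "after", len(p1) - 1, "hops")
    print("with null route:", o2, "path", p2)
```

Without the null route the packet is forwarded 63 times before the TTL reaches zero; with it, the customer router discards the packet as soon as it arrives, and traffic to the used /24 still gets through. The null route also removes the looping packets that uRPF at the ISP edge would otherwise have to catch on every pass.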

Page 28: private space

[diagram: a home network (private address) behind a NAT Router; when “NAT didn’t work”, packets with private source addresses reach the ISP Edge Router and are dropped × by uRPF]

• usual case
• bad implementation of NAT
• mis-configuration
  – router/firewall
  – network

Page 29: wrong IP address

[diagram: a host in customer network 192.168.0.0/24 sends with ip: 10.0.0.1; the ISP Edge Router’s uRPF drops it ×]

• mobile PC trying their old IP
• mis-configuration
  – typo
• just spoofing

Page 30: multi-connected network

[diagram: a customer connected to ISP A (ip address from ISP A: 192.168.0.0/24) and ISP B (ip address from ISP B: 172.16.0.0/24), both running uRPF; a packet with src: 172.16.0.2 sent out through ISP A is dropped ×]

• PBR can fix this.

Page 31: transit LAN

[diagram: RT.1 and RT.2 on a shared transit LAN, both running uRPF; a packet src: external, dst: RT.2 interface is dropped ×]

• packets to the router interface may be filtered

Page 32: private/non-routed backbone

[diagram: ISP A’s backbone uses private addresses; ISP B’s uRPF drops × the packets the backbone originates]

• backbone hiding technique... but
• icmp error messages will be filtered.
  – traceroute can’t show the ISP1’s network
  – this also breaks PMTUD

Page 33: IIJ’s case

• discussion
• router capability
• policy
• problems

Page 34: internal discussion

• Do we need anti-spoofing in our network?
  – We heard a rumor that attackers don’t use ip spoofing anymore in these days.
• Answer is YES.
  – ip spoofing is still used for attacks.
    • dns amplification attacks
  – preparation for new attacks using ip-spoofing

Page 35: kubo graph #1

[graph: not recoverable from the text]

Page 36: kubo graph #2

[graph: not recoverable from the text]

Page 37: router uRPF capability #1

• Cisco
  – uRPF loose/strict mode
• Cisco 72xx, 75xx
  – software processing....
• Cisco sup2, sup720
  – hardware support for uRPF/ACL
  – one uRPF mode per box

Page 38: router uRPF capability #2

• Cisco 12xxx GSR
  – depends on engine type of line card
  – E0, E1: software processing
  – E2: per physical interface, exclusion ACL
  – E3: loose mode only
  – microcode reload...

Page 39: router uRPF capability #3

• Juniper T/M
  – works fine
  – ‘feasible’ means ‘set of same length prefixes’

feasible (routing table):
  prefix         pref.
  10.0.0.0/24    100
  10.0.0.0/24    120

non-feasible (routing table):
  prefix
  10.0.0.0/24
  10.0.0.0/30
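Page 20 names the three uRPF modes and page 39 defines ‘feasible’ as the set of routes of the same prefix length. The Python below is an added example, not code from the slides or from IIJ, that models a routing table with preferences and runs sample packets through all three checks, so the claims on both pages can be seen directly: loose mode passes the reflection-style spoof because some route to the source exists, strict mode rejects the packet arriving on the customer’s backup link, feasible mode accepts it because a same-length route points that way. The routing table, the interface names ge-0 to ge-3 and the rule that the default route never satisfies the check are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str       # interface the route points out of
    pref: int = 100  # route preference, lower wins (Junos-style)


def R(prefix, iface, pref=100):
    return Route(ipaddress.ip_network(prefix), iface, pref)


# Constructed routing table of a hypothetical ISP edge router (not from the slides):
#   ge-0  primary link to customer A, 192.168.0.0/16, over the p2p link 10.0.0.0/30
#   ge-2  backup link to customer A, same prefix with a worse preference
#   ge-3  customer B, 172.16.0.0/24
#   ge-1  upstream, default route
RIB = [
    R("192.168.0.0/16", "ge-0", 100),
    R("192.168.0.0/16", "ge-2", 120),
    R("10.0.0.0/30", "ge-0"),
    R("172.16.0.0/24", "ge-3"),
    R("0.0.0.0/0", "ge-1"),
]


def candidate_routes(rib, src):
    """Routes for the longest prefix covering src. The default route is ignored,
    which is assumed to mirror a vendor uRPF check without an allow-default option."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in rib if addr in r.prefix and r.prefix.prefixlen > 0]
    if not hits:
        return []
    longest = max(r.prefix.prefixlen for r in hits)
    return [r for r in hits if r.prefix.prefixlen == longest]


def urpf_pass(rib, src, ingress, mode):
    """True if a packet with source src arriving on ingress survives the given uRPF mode."""
    routes = candidate_routes(rib, src)
    if not routes:
        return False                      # unrouted source: every mode drops it
    if mode == "loose":
        return True                       # any route at all is enough
    if mode == "strict":
        best = min(routes, key=lambda r: r.pref)
        return best.iface == ingress      # only the active return path counts
    if mode == "feasible":
        # any route of the same (longest) prefix length counts, even a non-best one
        return any(r.iface == ingress for r in routes)
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(rib, packets):
    """Run every (src, ingress) pair through all three modes."""
    return {(src, ingress): {m: urpf_pass(rib, src, ingress, m)
                             for m in ("strict", "feasible", "loose")}
            for src, ingress in packets}


if __name__ == "__main__":
    # constructed sample packets: legitimate, asymmetric, reflection-style spoof, unrouted
    SAMPLE = [
        ("192.168.0.5", "ge-0"),   # customer A on its primary link
        ("192.168.0.5", "ge-2"),   # customer A on its backup link (asymmetric routing)
        ("172.16.0.2", "ge-0"),    # customer A spoofing customer B's address (reflection)
        ("203.0.113.9", "ge-0"),   # source covered only by the default route
    ]
    for key, verdict in evaluate(RIB, SAMPLE).items():
        print(key, verdict)
```

The second and third sample packets are the two cases the slides keep returning to: the backup-link packet is what strict mode breaks on a multi-connected customer (page 30), and the spoofed 172.16.0.2 is what loose mode lets through, which is why page 20 says loose mode cannot stop reflected attacks.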

Page 40: router uRPF capability

• Cisco
  – depends on box/linecard
  – uRPF strict/loose mode are supported
  – some boxes use software processing
    • additional 5~20% cpu load
• Juniper
  – works fine
  – need some hack to export cflowd data of discarded traffic

Page 41: our initial choice

• single homed user
  – simple
  – uRPF strict mode or ACL
• multihomed user
  – bgp customer (ISPs)
  – enterprise (need for redundancy)
  – uRPF loose mode
• ... something is better than nothing

Page 42: IIJ’s policy

[diagram: IIJ/AS2497 and its neighbours (peer ISP, upstream ISP, customer ISP, multi homed static customer, single homed static customer), each link labelled with the mode applied: uRPF strict mode or uRPF loose mode]

Page 43: ACL and uRPF

• ACL
  – deterministic
    • statically configured
  – maintenance of access-lists
• uRPF
  – easy to configure
  – care about asymmetric routing
    • strict mode works well only for symmetric routing
    • loose mode can’t stop the ip reflected attack
    • few vendors support feasible mode

Page 44: problems

• uRPF/ACL works fine in most cases.
  – bug, device capability, performance...
• less confidence in uRPF
  – operators know uRPF, but never use it.
  – test it!
• unaware of Source Address Validation
  – why do we need this?

Page 45: Why do we need it?

• Source Address Validation does NOT protect your users from DoS/Attacks/Etc. directly.
• It reduces malicious activity.
  – sending ip spoofed packets from your network.
• If no networks allow ip spoofing, we can eliminate these kinds of attacks.

Page 46: bogon traffic

[graph: bogon traffic observed; labels readable from the text: 150Mbps, 36Kpps, 6Kpps, 1.8Mbps]

Page 47: please consider Source Address Validation in your network

Page 48: END